Re: install a renewed certificate in "My" store
From: Sebastian Rieger (sebastian.rieger_at_gwdg.de)
Date: 05/12/05
- Next message: Sebastian Rieger: "Re: install a renewed certificate in "My" store"
- Previous message: hsd31: "Re: PInvoke CredRead in Advapi32.dll"
- In reply to: David Cross [MS]: "Re: install a renewed certificate in "My" store"
- Next in thread: Sebastian Rieger: "Re: install a renewed certificate in "My" store"
- Reply: Sebastian Rieger: "Re: install a renewed certificate in "My" store"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 12 May 2005 18:18:39 +0200
David Cross [MS] wrote:
> How are they performing the installation? If they are not using the web
> enrollment pages on the CA, the MMC will not know to perform the association
We enhanced the classic web enrollment pages to allow renewal of
certificates (if you're tough you can take a look at our "german" pages
http://ca3.gwdg.de/renew). The certificate is issued manually (signature
on the csr is checked and so forth...) and after this the user can
download the certificate via http://ca3.gwdg.de/certs/. So they've got a
DER or PEM file on their desktop which the average user would install
via clicking the right mouse button and choosing "install certificate".
This works fine for new requests - but not for renewed certificates
(using the same public key). The certificate is listed under "Other
People" this way; using the mmc it's displayed in personal certificates
but without the information that there is a private key for the
certificate. Strangely enough the web enrollment pages (on the page that
offers PKCS10 or CMC import) state that they are capable of getting
"renewal" requests (headline of the page: Submit a Certificate Request
or Renewal Request).
The only way to combine the renewed cert with the "old" private key
seems to be the creation of a new PKCS12 export file - which contains
the new cert (using openssl or the like) - this is far too complex for
ordinary users though...
> between the cert that is installed and the key pair originally generated.
> An alternate to using OpenSSL is to use certutil.exe -repairstore or to use
> certreq.exe to install the cert on the machine if you cannot use the web
> enrollment pages. This whitepaper should provide some help:
These tools are not available on a stock Windows XP. Maybe we can deploy
them automatically...
> Windows Server 2003 advanced certificate enrollment whitepaper:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Thanks for your help! I knew the whitepaper - but sadly it does not
contain any information about installing renewed certificates.
This is what I get using certutil -repairstore...
Certificate 5 is the old certificate. Certificate 10 is the new one...
the public keys, DNs etc. are the same for both... certificate 10 was
imported using mmc -> certificates of current user -> personal -> import...
First I leaped for joy - the displayed key containers are the same
({937ABC3B-71E1-4798-83D5-AC6DD36D1310}) after using repairstore. But if
I display the cert via mmc or internet options, still it doesn't show
that I've got a corresponding private key... sad but true...
C:\Dokumente und Einstellungen\srieger1>certutil -repairstore -user My 5
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
================ Certificate 5 ================
Serial Number: 7e6ca23200020000028f
Issuer: CN=GWDG-CA Ebene 3 Generic-CA, OU=ca, DC=gwdg, DC=de
Subject: E=sebastian.rieger@gwdg.de, CN=Sebastian Rieger, O=Gesellschaft fuer wissenschaftliche Datenverarbeitung, L=Goettingen, S=Niedersachsen, C=DE
Non-root Certificate
307.67.0: 0x80070490 (WIN32: 1168):
1.3.6.1.4.1.311.21.8.14768004.2582623.83861.2669455.4297844.55.6028353.16576290
Template:
1.3.6.1.4.1.311.21.8.14768004.2582623.83861.2669455.4297844.55.6028353.16576290
Cert Hash(sha1): 89 0b 50 bb 9f 34 ff 7d 9c 8d 12 6a cf 6d b5 f6 c8 f3 12 78
Key Container = {937ABC3B-71E1-4798-83D5-AC6DD36D1310}
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
C:\Dokumente und Einstellungen\srieger1>certutil -repairstore -user My 10
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
================ Certificate 10 ================
Serial Number: 1517a5840000000000bf
Issuer: CN=GWDG-CA Ebene 3 Generic-CA, OU=ca, DC=gwdg, DC=de
Subject: E=sebastian.rieger@gwdg.de, CN=Sebastian Rieger, O=Gesellschaft fuer wissenschaftliche Datenverarbeitung, L=Goettingen, S=Niedersachsen, C=DE
Non-root Certificate
307.67.0: 0x80070490 (WIN32: 1168):
1.3.6.1.4.1.311.21.8.14768004.2582623.83861.2669455.4297844.55.6028353.16576290
Template:
1.3.6.1.4.1.311.21.8.14768004.2582623.83861.2669455.4297844.55.6028353.16576290
Cert Hash(sha1): 37 22 d5 2b d6 e3 fe 64 15 bb b8 ab 91 d6 d2 78 96 9f 67 9d
Key Container = {937ABC3B-71E1-4798-83D5-AC6DD36D1310}
Provider = Microsoft Base Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
C:\Dokumente und Einstellungen\srieger1>
Kind regards
Sebastian Rieger
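The workaround described in the message above (rebuilding a PKCS12 file from the renewed certificate and the existing private key with openssl), as an added example that is not part of the original thread or of GWDG's pages. Before bundling it verifies that the renewed certificate really carries the same public key as the key it is to be paired with, which is the precondition the whole thread relies on; it assumes a POSIX shell with the openssl CLI, and all file names, subject names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks that a renewed
# certificate matches an existing private key, then bundles both into a
# PKCS#12 file that Windows can import as a personal cert with its key.
# Paths, subjects and the passphrase below are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Returns 0 if the public key inside CERT equals the public key of KEY.
# Both sides are reduced to a SHA-256 digest of the DER-encoded
# SubjectPublicKeyInfo, so PEM line wrapping cannot cause false mismatches.
pubkey_matches() {
    cert="$1"; key="$2"
    cert_fp=$(openssl x509 -in "$cert" -pubkey -noout \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# Builds a PKCS#12 file from a renewed certificate and the original key.
# Refuses when the key does not belong to the certificate: importing such a
# pair would leave the cert without a usable private key, which is the
# "Other People" symptom discussed in the thread.
bundle_renewed_cert() {
    key="$1"; newcert="$2"; out="$3"
    if ! pubkey_matches "$newcert" "$key"; then
        echo "public key in $newcert does not match $key" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$key" -in "$newcert" -out "$out" \
        -passout pass:demo-only
}

# Constructed test data: one key, an "old" cert, a "renewed" cert that reuses
# the same key (as a renewal does), and an unrelated cert for the negative case.
make_demo_certs() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=demo-old" \
        -days 1 -out "$WORK/old.pem"
    openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=demo-renewed" \
        -days 365 -out "$WORK/new.pem"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/other.key" -subj "/CN=demo-other" \
        -days 1 -out "$WORK/other.pem"
}
```

Run `make_demo_certs` and then `bundle_renewed_cert "$WORK/key.pem" "$WORK/new.pem" "$WORK/new.p12"`; the resulting file imports into the "My" store with the private key attached, provided the key was exportable in the first place.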